Tags: python, azure-active-directory, microsoft-graph-api, sharepoint-online, onedrive

Not having access to sites and onedrive via ROPC in MS Graph API


I used following code to get the MS Graph API access token:

# Resource Owner Password Credentials (ROPC)
import adal
import requests

def ropc_flow_session(AUTHORITY, RESOURCE, username, password, CLIENT_ID):
  # Acquire a delegated token for this user via the ADAL ROPC grant
  context = adal.AuthenticationContext(AUTHORITY)
  token_response = context.acquire_token_with_username_password(RESOURCE, username, password, CLIENT_ID)

  # Attach the bearer token to every request made through this session
  session = requests.Session()
  session.headers.update({'Authorization': f'Bearer {token_response["accessToken"]}'})

  return session

The RESOURCE and AUTHORITY values are:

RESOURCE = 'https://graph.microsoft.com'
AUTHORITY = F"https://login.microsoftonline.com/{tenant}"

When I call the ropc_flow_session function it returns the session that contains following header:

{'User-Agent': 'python-requests/2.22.0', 'Accept-Encoding': 'gzip, deflate', 'Accept': '*/*', 'Connection': 'keep-alive', 'Authorization': 'Bearer {ACCESS_TOKEN_VALUE}'}

So my understanding is I have access to the registered app.
When I try to call /me with https://graph.microsoft.com/v1.0/me the error message says:

 {'error': {'code': 'Authorization_RequestDenied',
            'message': 'Insufficient privileges to complete the operation.',

I tried to access a shared library that the user owns via https://graph.microsoft.com/v1.0/sites/{TENANT}:/sites/{SITE_NAME}:/drives and it raised:

 {'error': {'code': 'accessDenied',
            'message': 'Access denied. You do not have permission to perform this action or access this resource.',

This is the list of registered App API permissions:

(image: permission list)

Based on the error messages it seems like I have connected as an application, but I used ROPC and passed a specific user's username and password. Any thoughts are appreciated.

[UPDATE] This is the decoded token that I got from jwt.ms: (image: decoded token)


Solution

  • I already mentioned this in the comments, but to make it clear for others who have the same issue I am adding more description here. In my case, the problem was that the registered Azure app had two owners. One is my own work account and the other is the service account. I added the delegated permissions with my work account and they were showing in the API permissions list. But when I checked the Enterprise applications link, it showed that all the user consent permissions were limited to only one specific user.

    (image: enterprise application)

    You can check that by clicking on Enterprise applications and looking at the user consent tab.

    (image: user consent tab)


    There are two ways to resolve the issue:

    1. Ask the admin to grant admin consent for the other user as well (in my case it was a service account)
    2. Log in with the other user (in my case the service account) and add the same API permissions

    I hope this helps others with the same issue.

    Thanks @shiva-keshav-varma for the helpful advice on the comments
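A small diagnostic, added here as an example (not code from the question or the answer): it decodes the token payload the way jwt.ms does and reports whether the token is delegated (scp claim) or app-only (roles claim), which user it was issued for, and which of the delegated scopes the /me, /sites and /drives calls need are absent, which is the symptom the answer traces back to per-user consent. The required-scope set and the sample token are constructed assumptions, not values from the page.

```python
import base64
import json

# Assumed delegated scopes for the calls in the question (constructed; the
# page does not list the app's permissions).
REQUIRED_SCOPES = {"User.Read", "Sites.Read.All", "Files.Read.All"}


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the stripped '=' padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj: dict) -> str:
    """Encode a dict as an unpadded base64url JSON segment."""
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_claims(jwt: str) -> dict:
    """Return the payload claims WITHOUT verifying the signature.

    For local inspection only (what jwt.ms shows); never use this
    to decide whether a token is authentic.
    """
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 dot-separated parts)")
    return json.loads(_b64url_decode(parts[1]))


def diagnose(jwt: str, required=REQUIRED_SCOPES) -> dict:
    """Summarise the consent-relevant claims of a Graph access token."""
    claims = decode_claims(jwt)
    granted = set(claims.get("scp", "").split())  # scp is space-separated
    return {
        "delegated": "scp" in claims,                       # user + app token
        "app_only": "roles" in claims and "scp" not in claims,
        "user": claims.get("upn") or claims.get("preferred_username"),
        "missing_scopes": sorted(required - granted),
    }


def make_unsigned_token(payload: dict) -> str:
    """Build a constructed, unsigned sample token (alg=none) for the demo."""
    header = _b64url_encode({"alg": "none", "typ": "JWT"})
    return header + "." + _b64url_encode(payload) + "."


# Constructed sample: a delegated token consented only for User.Read.
SAMPLE_TOKEN = make_unsigned_token({"aud": "https://graph.microsoft.com",
                                    "upn": "svc@contoso.example",
                                    "scp": "User.Read"})
```

Running `diagnose(SAMPLE_TOKEN)` on the constructed token reports `missing_scopes` of `['Files.Read.All', 'Sites.Read.All']`, the shape of the problem in the question; a token with an empty `missing_scopes` and `delegated` set to True is what the answer's fix should produce.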